VYPR
← All advisories
Moderate severityNVD Advisory· Published Mar 6, 2024· Updated Feb 13, 2025

CVE-2024-28161

CVE-2024-28161

Description

In Jenkins Delphix Plugin 3.0.1, SSL/TLS certificate validation for DCT connections is disabled by default, exposing communications to machine-in-the-middle attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Jenkins Delphix Plugin 3.0.1, SSL/TLS certificate validation for DCT connections is disabled by default, exposing communications to machine-in-the-middle attacks.

Vulnerability

Overview

CVE-2024-28161 affects the Jenkins Delphix Plugin version 3.0.1, where a global option controlling SSL/TLS certificate validation for connections to the Delphix Data Control Tower (DCT) is disabled by default [1][3]. This means that even if an administrator intends to enforce secure communication, the plugin will accept any certificate presented by the DCT server, including self-signed or fraudulent certificates. The root cause is that the plugin's default configuration prioritizes ease of setup over security, a common pitfall in Jenkins plugins [1].

Attack

Vector and Prerequisites

An attacker with a machine-in-the-middle position on the network between the Jenkins controller and the DCT server can exploit this misconfiguration [1]. No Jenkins credentials are required beyond network access to intercept or modify the traffic. The attack does not require any prior authentication to the Delphix Plugin or Jenkins itself, as the vulnerability lies purely in the default transport-layer security settings [3].

Impact

By disabling certificate validation, the plugin becomes susceptible to spoofing, eavesdropping, and data tampering. An attacker can impersonate the DCT server, decrypt sensitive communications, and inject malicious responses that could lead to unauthorized data operations or further compromise of the Jenkins environment [1][3]. The plugin's integration with Delphix DevOps Data Platform means that attackers could potentially provision or destroy data environments, impacting CI/CD pipelines and data integrity [4].

Mitigation

The Jenkins Security Advisory recommends updating to Delphix Plugin version 3.0.2 (or 3.1.1) which addresses this issue by enabling certificate validation by default [1][2]. Administrators should also verify that the global SSL/TLS setting is explicitly enabled in plugin configuration. No workarounds are provided for the vulnerable version; upgrading is the only remediation [2]. This CVE is not currently listed in CISA Known Exploited Vulnerabilities (KEV) as of publication.

References
  1. Jenkins Security Advisory 2024-03-06
  2. security - Multiple vulnerabilities in Jenkins plugins
  3. NVD - CVE-2024-28161
  4. GitHub - jenkinsci/delphix-plugin: Integrate the Delphix DevOps Data Platform with Jenkins CI/CD pipelines

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.jenkins-ci.plugins:delphixMaven
>= 3.0.1, < 3.0.23.0.2

Affected products

2

Patches

1
5a7c027098b7

Merge pull request #31 from jenkinsci/bug-fix

https://github.com/jenkinsci/delphix-pluginankit-patil-hubsJul 19, 2023via ghsa
commit
6 files changed · +15 9
  • pom.xml+5 3 modified
    @@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <parent>
         <groupId>org.jenkins-ci.plugins</groupId>
@@ -19,6 +20,7 @@
     <name>Delphix Plugin</name>
     <description>Integrate Jenkins with Delphix DevOps Data Platform(s).</description>
 
+
     <licenses>
         <license>
             <name>Apache-2.0</name>
@@ -34,12 +36,12 @@
         </developer>
     </developers>
 
-    <url>http://wiki.jenkins-ci.org/display/JENKINS/Delphix+Plugin</url>
+    <url>https://github.com/jenkinsci/${project.artifactId}-plugin</url>
     <scm>
         <connection>scm:git:https://github.com/jenkinsci/${project.artifactId}-plugin.git</connection>
         <developerConnection>scm:git:git@github.com:jenkinsci/${project.artifactId}-plugin.git</developerConnection>
         <url>https://github.com/jenkinsci/${project.artifactId}-plugin</url>
-        <tag>delphix-3.0.0</tag>
+        <tag>delphix-3.0.2</tag>
     </scm>
 
     <dependencyManagement>
  • README.md+2 2 modified
    @@ -1,10 +1,10 @@
-# Delphix Plugin
+# Delphix Jenkins Plugin
 
 [![Build Status](https://ci.jenkins.io/buildStatus/icon?job=Plugins/delphix-plugin/master)](https://ci.jenkins.io/job/Plugins/job/delphix-plugin/)
 [![Jenkins Plugins](https://img.shields.io/jenkins/plugin/v/delphix.svg)](https://plugins.jenkins.io/delphix)
 [![License](https://img.shields.io/github/license/jenkinsci/delphix-plugin.svg)](LICENSE)
 
-The Delphix plugin allows Jenkins to connect to Delphix DevOps Data Platform(s) and execute data operations using the Data Control Tower (DCT) APIs.
+The Delphix Jenkins Plugin allows Jenkins to connect to Delphix DevOps Data Platform(s) and execute data operations using the Data Control Tower (DCT) APIs.
 
 #### Table of Contents
 1.  [Introduction](#Introduction)
  • src/main/java/io/jenkins/plugins/constant/Constant.java+1 0 modified
    @@ -11,4 +11,5 @@ public class Constant {
     public static final String CLIENT_NAME_HEADER = "x-dct-client-name";
     public static final long WAIT_TIME = 20000;
     public static final String API_VERSION = "/v3";
+    public static final int TIMEOUT = 120000;
 }
  • src/main/java/io/jenkins/plugins/util/DctSdkUtil.java+4 1 modified
    @@ -38,9 +38,12 @@ public DctSdkUtil(Run<?, ?> run, TaskListener listener, String credId) {
             return;
         }
         this.defaultClient = Configuration.getDefaultApiClient();
-        if (!DelphixGlobalConfiguration.get().getSslCheck()) {
+        if (DelphixGlobalConfiguration.get().getSslCheck()) {
             this.defaultClient.setVerifyingSsl(false);
         }
+        this.defaultClient.setConnectTimeout(Constant.TIMEOUT);
+        this.defaultClient.setReadTimeout(Constant.TIMEOUT);
+        this.defaultClient.setWriteTimeout(Constant.TIMEOUT);
         this.defaultClient.setUserAgent(Constant.USER_AGENT);
         this.defaultClient.addDefaultHeader(Constant.CLIENT_NAME_HEADER, Constant.CLIENT_NAME);
         this.defaultClient.setApiKey(apiKey);
  • src/main/resources/io/jenkins/plugins/delphix/DelphixGlobalConfiguration/config.jelly+1 1 modified
    @@ -5,7 +5,7 @@
       <f:textbox />
     </f:entry>
 
-    <f:entry title="SSL certificate check" field="sslCheck" help="/plugin/delphix/help-sslCheck.html">
+    <f:entry title="Disable SSL Certificate Validation" field="sslCheck" help="/plugin/delphix/help-sslCheck.html">
         <f:checkbox default="false" />
     </f:entry>
   </f:section>
  • src/main/webapp/help-sslCheck.html+2 2 modified
    @@ -1,4 +1,4 @@
 <div>
-    (Optional) If checked the plugin would perform a SSL certification check before establishing connection with Data
-    Control Tower(DCT).
+    (Optional) If selected, the plugin will not validate the SSL Certification when establishing a connection with Data
+    Control Tower (DCT). We recommend enabling SSL Certification in production.
 </div>
\ No newline at end of file

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

1